Since enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) began on May 25, 2018, a flurry of activity in the data privacy realm has rippled across the globe. As the new gold standard in data privacy, the GDPR is not only the most stringent data privacy policy to date, but it also imposes the heaviest penalties for non-compliance. In the U.S. and in other countries, governments are borrowing concepts from the GDPR as they strive to protect their citizens and empower them to have better control of their personal data.
Organizations should take steps now to ensure they have proper access to privacy expertise in order to better understand how these developing regulations will affect their decisions, operations, processes/policies and compliance efforts.
In June, the California state legislature signed the California Consumer Privacy Act of 2018, effective in 2020. The bill passed unanimously, reflecting widespread concern over data privacy. Like the GDPR, the California bill is a landmark policy in the data protection field, and while it may not be as comprehensive as the GDPR, it shares many similarities. Included policies in the California act enable consumers (referred to as data subjects) as follows:
As with other new data laws, breaches will incur serious fines with the potential to cost organizations millions.
A document by Senator Mark Warner, also recently in the news, provides options for Congress to meet U.S. data privacy objectives. Suggestions include many GDPR-like requirements, such as a 72-hour breach notification window and increased data subject rights. It also includes recommendations, such as:
By engaging data privacy experts now, organizations can be prepared when new policies are implemented.
The Parliament of India is getting closer to enacting its own data protection law. In July, the Ministry of Electronics and Information Technology accepted two new documents from the Srikrishna Committee: an initial data privacy assessment and recommendations, and a draft of the Personal Data Protection Bill. The Personal Data Protection Bill borrows heavily from the GDPR, including heavy fines for non-compliance. Most notably, under the Personal Data Protection Bill, fines could add up daily until corrections are made. Another unique requirement of this bill is making waves in the data privacy industry: a stipulation that a copy of personal data must reside in India.
With a population of over one billion, India has not only one of the largest internet user bases in the world, but also one of the fastest growing digital economies. For years, IT industry leaders in India have been concerned about data privacy practices that are frequently overlooked, given the rapid pace of development. There are many benefits to global organizations if this data privacy law goes into effect. Companies that conduct business in India should take steps now to safeguard personal information.
As awareness of digital privacy around the globe increases, organizations and citizens alike are making more privacy-minded decisions. Now is the best time to start preparing your organization for international data privacy legislation changes with the following steps:
Data protection policies are rapidly changing and developing worldwide. Taking proactive steps will help your organization develop a sustainable data privacy program that is ready to adapt to evolving global regulations.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.